- Jul 22, 2014
A week after details about a severe Microsoft Office vulnerability came to light, at least one criminal group is now using it to infect users.
The group is not your regular spam botnet, but a top cyber-criminal operation known to security researchers as Cobalt, a hacking outfit that has targeted banks, ATM networks, and financial institutions for the past two years.
CVE-2017-11882 used by Cobalt hacking group
According to Reversing Labs, a UK-based cyber-security firm, the Cobalt group is now spreading RTF documents to high-value targets that are laced with exploits that take advantage of CVE-2017-11882.
This is a stack buffer overflow in the Office Equation Editor component (EQNEDT32.EXE), patched in Microsoft's November 2017 security updates, that lets an attacker run code with the victim's privileges as soon as a crafted document is opened: no macros to enable and no further prompt for the user to click through.
You don't need a grizzled veteran of the infosec community to tell you that a vulnerability with such results would be incredibly valuable for any cyber-criminal organization.
Besides the damage this vulnerability can do, Cobalt's quick adoption of CVE-2017-11882 was most likely aided by the availability of four proof of concept (PoC) exploits that have been published online in the past week [1, 2, 3, 4].
According to Reversing Labs, the Cobalt group is currently sending emails laced with a booby-trapped RTF file that uses a CVE-2017-11882 exploit to download and run additional malicious files. The infection chain goes through multiple steps, but in the end it downloads and loads a malicious DLL file that has yet to be analyzed in more depth.
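Booby-trapped RTFs of this kind carry the Equation Editor payload as a hex-encoded OLE1 object in an `\objdata` group, and the overflow itself is triggered by an overlong font name in the equation's MTEF FONT record. The triage script below, an added example written for this article and not code from Reversing Labs or from the Cobalt samples they describe, extracts each embedded object, recovers its class name from the OLE1 header (MS-OLEDS), and, for Equation Editor objects, measures the FONT record's name length. The 40-byte threshold, the simplified MTEF record walker, and the constructed sample documents are assumptions made for the example; a real RTF tokenizer such as oletools' rtfobj is needed for obfuscated files.

```python
"""Triage RTF files for embedded Equation Editor objects (CVE-2017-11882).

Added example, not code from the article's sources.  Checks performed:
  1. hex-decode every \\objdata group and read the OLE1 embedded-object header
     (MS-OLEDS 2.2.5) to recover the object's class name;
  2. for Equation Editor objects, find the EQNOLEFILEHDR + MTEF v3 stream and
     measure the first FONT record's name; an overlong name is the overflow.
"""
import re
import struct

# ProgIDs served by EQNEDT32.EXE, and Equation Editor 3.0's CLSID
# {0002CE02-0000-0000-C000-000000000046} as little-endian GUID bytes.
EQUATION_CLASSES = {"Equation.2", "Equation.3"}
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
# Assumption for this heuristic: the vulnerable routine copies the FONT name
# into a stack buffer of roughly 40 bytes; real font names are far shorter.
FONT_NAME_SAFE_LEN = 40

MTEF_FONT_TAG = 0x08
# Single-byte MTEF v3 records this simplified walker steps over:
# LINE with no flags, and the FULL/SUB/SUB2/SYM/SUBSYM size records.
MTEF_ONE_BYTE_TAGS = {0x01, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E}


def extract_objdata(rtf):
    """Hex-decode every \\objdata group (simplification: drops non-hex chars)."""
    blobs = []
    for m in re.finditer(r"\\objdata\b([^}]*)", rtf):
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata))
    return blobs


def parse_ole1(blob):
    """Return (class_name, native_data) from an OLE1 object, or None."""
    try:
        off = 8  # OLEVersion (4) + FormatID (4)
        fields = []
        for _ in range(3):  # ClassName, TopicName, ItemName (length-prefixed)
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            fields.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
            off += n
        (native_size,) = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:
        return None
    return fields[0], blob[off:off + native_size]


def find_mtef_font_name(native):
    """Locate EQNOLEFILEHDR (cbHdr 0x1C) + MTEF v3 header, walk to the first
    FONT record and return its NUL-terminated name, or None if not reached."""
    pos = 0
    while (pos := native.find(b"\x1c\x00", pos)) != -1:
        mtef = pos + 28  # sizeof(EQNOLEFILEHDR)
        if mtef + 5 <= len(native) and native[mtef] == 0x03:  # MTEF version 3
            off = mtef + 5  # version, platform, product, version, subversion
            while off < len(native):
                tag = native[off]
                if tag == MTEF_FONT_TAG:
                    start = off + 3  # tag, typeface, style
                    end = native.find(b"\x00", start)
                    return native[start:end if end != -1 else len(native)]
                if tag in MTEF_ONE_BYTE_TAGS:
                    off += 1
                    continue
                break  # END record or a type this walker does not decode
        pos += 1
    return None


def scan_rtf(rtf):
    """One finding per embedded object, with a verdict on the FONT name length."""
    findings = []
    for blob in extract_objdata(rtf):
        parsed = parse_ole1(blob)
        if parsed is None:
            continue
        class_name, native = parsed
        is_equation = class_name in EQUATION_CLASSES or EQUATION_CLSID in native
        name = find_mtef_font_name(native) if is_equation else None
        font_len = len(name) if name is not None else 0
        findings.append({"class_name": class_name, "is_equation": is_equation,
                         "font_name_len": font_len,
                         "suspicious": is_equation and font_len > FONT_NAME_SAFE_LEN})
    return findings


def _lp_ansi(s):
    """LengthPrefixedAnsiString: 4-byte length (incl. NUL) then the string."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def build_sample_rtf(font_name):
    """Constructed test document, not a real sample: an Equation.3 OLE1 object
    whose native data is a bare EQNOLEFILEHDR + MTEF stream (real files wrap
    it in a compound file; the scan above does not need that wrapper)."""
    mtef = (bytes([0x03, 0x01, 0x01, 0x03, 0x0A]) + b"\x0a" + b"\x01"  # hdr, FULL, LINE
            + bytes([MTEF_FONT_TAG, 0x5A, 0x5A]) + font_name + b"\x00" + b"\x00")
    native = struct.pack("<HIHI4I", 0x1C, 0x00020000, 0, len(mtef), 0, 0, 0, 0) + mtef
    ole1 = (struct.pack("<II", 0x00000501, 2) + _lp_ansi(b"Equation.3") + _lp_ansi(b"")
            + _lp_ansi(b"") + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + wrapped + "}}}"


if __name__ == "__main__":
    for doc in (build_sample_rtf(b"A" * 60), build_sample_rtf(b"Symbol")):
        print(scan_rtf(doc))
```

Run on a suspect file with `scan_rtf(open(path, encoding="latin-1").read())`; a finding with `is_equation` set is worth a look on its own, since Equation Editor objects are rare in business mail, and `suspicious` marks the ones whose FONT name could not fit the buffer. The class-name check is backed by the CLSID byte check because attackers routinely omit or alter the `\objclass` control word.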
Cobalt has jumped on Microsoft bugs before
....